New York State Seeks Boost on Bank Cyber Security Defenses

Published at 22:09, Feb 25 2015

ALBANY — New York financial regulators are considering tougher cyber security requirements for banks to mandate more complex computer sign-ins and certifications from the contractors of their cyber defenses, the state’s top regulator said Wednesday.

They are already revamping regular examinations of banks and insurance companies by adding targeted assessments of barriers against hackers, Department of Financial Services Superintendent Ben Lawsky said. He’s “deeply worried” that within the next decade, or sooner, there will be “a major cyberattack aimed at the financial system” that could create a run or panic that spills over into the broader economy, he said.

“At DFS, we believe that cyber security is likely the most important issue we will face in 2015 and perhaps for many years to come after that,” Lawsky said in an address at Columbia Law School. Internet architecture has grown up with usernames and passwords to verify identities, but all firms should now be moving toward “a multi-factor authentication system” with an additional layer of security, he said.

That could be, for example, a randomly generated second password that is immediately sent to users’ phones when they log in and is then needed for computer system access, Lawsky said. “As a result, if someone steals or guesses your password, they would not be able to get into the system unless they also have your cellphone,” he said.

DFS is also considering random audits of financial firms’ monitoring and filtering computer systems used to spot illicit transactions, Lawsky said. Over the past four years it has reached several multimillion-dollar settlements with banks accused of currency transactions through their New York branches on behalf of clients in countries prohibited from U.S. trade.

“Money is the oxygen feeding the fire that is terrorism. Without moving massive amounts of money around the globe, international terrorism cannot thrive,” he said. Since his office cannot simultaneously audit every bank, he said they are also considering making senior executives personally attest to the adequacy of their monitoring systems.